The European Union's General Data Protection Regulation (GDPR) -- effective May 25, 2018 -- has been the subject of much discussion at ICANN, which has been working on how the regulation will impact the "whois" database of domain name registrations.
As of this writing, it seems likely that large parts of the whois databases will become empty, at least for general public consumption as has been the longstanding practice.
If that occurs, in many instances it will be impossible to identify the registrant of a particular domain name, or the registrant's contact information. This will have a tremendous impact on domain name disputes, including under the Uniform Domain Name Dispute Resolution Policy (UDRP).
Here are three important ways in which the GDPR is likely to affect how trademark owners pursue cybersquatters:
The UDRP allows a trademark owner to include multiple domain names in a single complaint if all of the domain names are registered by "the same domain-name holder." Including multiple domain names, sometimes referred to as "consolidation," is incredibly efficient, as I've written before.
There always have been challenges in identifying additional domain names to include in a complaint, largely because there is no publicly available, comprehensive "reverse whois" service that can find related domain names; because cybersquatters often use multiple identities or aliases in registering domain names; and because privacy and proxy services can mask a registrant's true identity.
Still, at WIPO, the largest provider of domain name dispute services, the average number of domain names per complaint was 2.07 last year. The largest complaint (which I filed in 2009) included more than 1,500 domain names.
But the GDPR is likely to make consolidation even more challenging. If a trademark owner identifies a single domain name it wants to pursue via the UDRP or another dispute policy, but it doesn't even know who the registrant of the domain name is, then it seems all but impossible to identify (at least with certainty) additional domain names that may be registered by the same domain name holder.
Therefore, it is likely that the average number of domain names per complaint will drop, forcing trademark owners to file more complaints to pursue the same number of domain names or to abandon pursuing some domain names altogether. Either way, the result will be a more expensive and time-consuming process for trademark owners, probably with less effectiveness.
One of the three required elements of every UDRP complaint is proving that the disputed domain name "has been registered and is being used in bad faith." And one way of establishing bad faith is by showing a "pattern" of conduct.
"UDRP panels have held that establishing a pattern of bad faith conduct requires more than one, but as few as two instances of abusive domain name registration," according to the WIPO Overview. "This may include a scenario where a respondent, on separate occasions, has registered trademark-abusive domain names, even where directed at the same brand owner."
Therefore, it's smart practice to search previous UDRP decisions before filing a complaint to see if a cybersquatter has lost any previous cases and, if so, to cite those cases in the UDRP complaint. Since all of the UDRP service providers offer some type of search tool, it's a pretty simple thing to do.
While the search tools aren't going away under the GDPR, not knowing what to search for (if the registrant's identity is unknown) will make this task impossible. In other words, how can you find out if a domain name registrant has engaged in a pattern of cybersquatting if you don't even know who the domain name registrant is?
Fortunately, this obstacle won't make proving the bad faith element impossible, but it may make it more challenging in some cases because it effectively eviscerates one definition of bad faith.
Rights or Legitimate Interests
Another of the three required elements of every UDRP complaint is proving that the domain name registrant has "no rights or legitimate interests in respect of the domain name." This has always been one of the more challenging (if often overlooked) requirements, because it requires a trademark owner to prove a negative.
As the WIPO Overview says: "While the overall burden of proof in UDRP proceedings is on the complainant, panels have recognized that proving a respondent lacks rights or legitimate interests in a domain name may result in the often impossible task of 'proving a negative', requiring information that is often primarily within the knowledge or control of the respondent."
The GDPR will make it even more challenging to prove this element. For example, if you don't who a domain name registrant is, how can you determine whether the registrant has been "commonly known by the domain name" -- one of the ways in which the UDRP allows a registrant to demonstrate that it has rights or legitimate interests.
Yes, privacy and proxy services already have made this element difficult at times, but at least some of the services (notably, Domains By Proxy) will disclose the identity of an "underlying registrant" to a trademark owner under certain circumstances, allowing for a better evaluation of a UDRP case before deciding whether to file a complaint. The GDPR likely won't allow for this same opportunity.
Despite these (and other) challenges created by the GDPR, the UDRP itself (and other domain name dispute policies) are not changing. In other words, they will remain a trademark owner's most effective tool to combat cybersquatting.